Nelson B wrote:
> Jan Egil Kristiansen wrote:
>> When I open https://www.londonstockexchange.co.uk/ in Firefox, I get
>> a warning that the certificate is issued to www.londonstockexchange.com.
> I get that too. It looks like they are just using a
> wrong cert.
>> But if I click OK, my lower right corner displays a padlock and a
>> claim that www.londonstockexchange.co.uk is "signed by VeriSign Trust
>> Network".
> OK, so I tried this on my Firefox 1.0 and my Konqueror
> 3.3.2, and they both gave the same approximate result:
> They both loaded the full page in httpS the first time,
> then reloaded in http. Re-entering the httpS just got
> a real fast redirect to http. Weird. So I was not able
> to check the padlock in either browser.
> (FreeBSD 5.3).
>> That's not true. The connection is encrypted, but it is NOT signed by
>> VeriSign, and thus open to man-in-the-middle attack.
>> I was responsible for clicking OK, but my click is not binding for
>> VeriSign.
>> I tend to think that https connections with domain name mismatches
>> should not display the padlock at all, because the encryption can't
>> be trusted.
> It sort of depends on whether the encryption or
> the domain name is the important issue, right?
>> My click indicated that I was willing to view the site without
>> signature and encryption, and the browser should remind me of that
>> decision.
>> Anyone agree? Disagree?
Jan got a signed and
encrypted connection to the .co.uk. It just
wasn't signed by the .co.uk, instead it was
signed by the .com. In this case, we might
as well assume that they are totally distinct,
so it could have been PhishMarket.com.
So on that analysis the padlock is wrong.
But, in this case, they are simply using the
wrong cert. So, at the extreme, LSE could
just as easily have used a self-signed cert. So if
the padlock is ON for a SSC, then it should
be on for a misnamed cert as well.
Hmm... well, not entirely. Even if they use
a SSC they should still get the name right.
(Which all comes down to trying to crowd
the complex information into the binary
padlock.)
I dunno, I can't make a call.
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
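As an added illustration (not code from anyone in this thread), the name check a browser must pass before the padlock is honest, in Python: the usual dNSName matching rules applied to the two names from the thread, plus the three UI states the discussion argues about. The certificate's SAN list is constructed for the example; the state labels are assumptions.

```python
"""Certificate-name check behind the padlock (added illustration, not the
thread's code). A cert for www.londonstockexchange.com is not valid for
www.londonstockexchange.co.uk; after a user override the connection is
still encrypted but unauthenticated, i.e. exposed to man-in-the-middle."""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if a dNSName/CN from the certificate is valid for hostname.

    Rules (the common RFC 6125 subset browsers apply):
    - case-insensitive, trailing dot ignored
    - '*' is honoured only as the entire leftmost label ("*.example.com")
    - '*' matches exactly one label and needs two labels to its right
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" in cert_name:
        if cert_labels[0] != "*" or any("*" in lb for lb in cert_labels[1:]):
            return False  # partial or non-leftmost wildcard
        if len(cert_labels) < 3:
            return False  # "*.com" would cover a whole TLD
    if len(cert_labels) != len(host_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(cert_labels, host_labels))


def classify_connection(san_names, hostname, user_overrode=False):
    """Security state a UI should show for a completed TLS handshake
    (labels are assumed for this example)."""
    if any(hostname_matches(n, hostname) for n in san_names):
        return "authenticated+encrypted"      # padlock is honest
    if user_overrode:
        return "encrypted-unauthenticated"    # no padlock; MITM possible
    return "refused"                          # browser should not proceed


# Constructed SAN list modelled on the thread: the cert names only the .com.
LSE_CERT_SANS = ["www.londonstockexchange.com", "londonstockexchange.com"]

if __name__ == "__main__":
    for host in ("www.londonstockexchange.com", "www.londonstockexchange.co.uk"):
        print(host, "->", classify_connection(LSE_CERT_SANS, host, user_overrode=True))
```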
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto